authorSteven Rostedt (Red Hat) <rostedt@goodmis.org>2015-09-14 14:00:16 -0400
committerSteven Rostedt <rostedt@goodmis.org>2016-03-21 18:05:51 -0400
commit42fc96f520796c7d18c7372b6ad80292d4a0bc21 (patch)
tree4813b0ec37267382eb700fabc5ea54979eb314b9
parentd4321519aec1d6aba5edd5582c21903132990b3d (diff)
downloadtrace-cmd-42fc96f520796c7d18c7372b6ad80292d4a0bc21.tar.gz
trace-cmd: Make msgcpy() and optcpy() check for size
Have msgcpy() and optcpy() test the offset + buflen to see if it would overwrite the size of the msg or opt. If so, return -EINVAL. The checking of this return value still needs to be done, but at least we won't be accidentally overwriting the memory. Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
-rw-r--r--trace-msg.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/trace-msg.c b/trace-msg.c
index 373f3746..cacdc1c9 100644
--- a/trace-msg.c
+++ b/trace-msg.c
@@ -154,16 +154,24 @@ static int tracecmd_msg_alloc(u32 cmd, u32 len, struct tracecmd_msg **msg)
return 0;
}
-static void msgcpy(struct tracecmd_msg *msg, u32 offset,
+static int msgcpy(struct tracecmd_msg *msg, u32 offset,
const void *buf, u32 buflen)
{
+ if (offset + buflen > ntohl(msg->size))
+ return -EINVAL;
+
memcpy(((void *)msg)+offset, buf, buflen);
+ return 0;
}
-static void optcpy(struct tracecmd_msg_opt *opt, u32 offset,
+static int optcpy(struct tracecmd_msg_opt *opt, u32 offset,
const void *buf, u32 buflen)
{
+ if (offset + buflen > ntohl(opt->size))
+ return -EINVAL;
+
memcpy(((void *)opt)+offset, buf, buflen);
+ return 0;
}
enum msg_opt_command {
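Review bot: The new guard in msgcpy() adds `offset + buflen` in u32, so a large enough pair wraps around and compares below `ntohl(msg->size)`, and the memcpy() then runs past the message anyway. optcpy() has the same check against `opt->size`. Comparing without the addition closes that gap: `u32 size = ntohl(msg->size);` then `if (offset > size || buflen > size - offset) return -EINVAL;`, and likewise for `opt`. The check also presumably relies on the `size` field matching the allocated length of the buffer, which this hunk does not show; a one-line comment above each helper stating that assumption would help the next reader.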